Mimetypes coming from package mime-support cannot be removed

Bug #225105 reported by magkes
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

Hi!

Explanation from httpd.apache.org (http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext):
Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.

On several PHP-based web-applications file(-upload) filtering is based on the last file-extension. If you want to prevent php processing for malicious files one could use a pattern like
\.php[45]?$

But as Apache supports "Multiple Extensions", also files like index.php.abc will be handed over to PHP preprocessor. If you would prefer only the last dot-separated part of the filename to be mapped to a particular piece of meta-data, apache suggests to use "SetHandler". A PHP solution would be
<FilesMatch \.php[45]?$>
    SetHandler application/x-httpd-php
</FilesMatch>

As apache2.2-common depends on mime-support it is already aware of php mime-types. Btw. this makes it totally useless to register these mime-types with file php5.conf in package libapache2-mod-php5 again.

Because of the already registered mime types in /etc/mime.types you have to unregister these to only map files based on the last dot-separated part of the filename. To get rid of them you should be able to place
 RemoveHandler .php .php4 .php5 .phps .pht .phtml
 RemoveType .php .php4 .php5 .phps .pht .phtml
somewhere in apache2.conf or php5.conf. Unfortunately this does not work!! Apache then still knows what to do with index.php.anydamnextension!

I'm unsure what package to blame; "mime-support" for listing php mime types or "apache2.2-common" for not being able to unregister them.
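
Added example (not part of the original report, and not code from Apache or Ubuntu): a simplified Python model of the multiple-extension rule quoted above. It shows which filenames the last-extension pattern accepts although one of their extensions maps to PHP, next to a stricter check over every extension. TYPE_MAP is a constructed stand-in for /etc/mime.types, and all function names are hypothetical.

```python
import re

# Extensions listed in the report's RemoveHandler/RemoveType lines.
PHP_EXTS = {"php", "php4", "php5", "phps", "pht", "phtml"}
PHP_TYPE = "application/x-httpd-php"

# Constructed, minimal stand-in for /etc/mime.types plus the PHP mappings.
TYPE_MAP = {ext: PHP_TYPE for ext in PHP_EXTS}
TYPE_MAP.update({"gif": "image/gif", "html": "text/html", "txt": "text/plain"})

# The last-extension pattern quoted in the report.
LAST_EXT_FILTER = re.compile(r"\.php[45]?$")


def extensions(filename):
    """Every dot-separated part after the base name, lower-cased."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.lower() for part in name.split(".")[1:] if part]


def mapped_type(filename, type_map=TYPE_MAP):
    """Simplified multiple-extension rule: the rightmost extension that maps
    to a content type wins; extensions with no mapping are skipped."""
    result = None
    for ext in extensions(filename):
        if ext in type_map:
            result = type_map[ext]
    return result


def last_ext_filter_rejects(filename):
    """The filter described in the report: only the end of the name is tested."""
    return LAST_EXT_FILTER.search(filename) is not None


def strict_filter_rejects(filename, blocked=PHP_EXTS):
    """Reject if any extension, in any position, is on the blocked list."""
    return any(ext in blocked for ext in extensions(filename))


def audit(filenames):
    """Names the last-extension filter accepts although they map to PHP."""
    return [f for f in filenames
            if not last_ext_filter_rejects(f) and mapped_type(f) == PHP_TYPE]


if __name__ == "__main__":
    samples = ["index.php", "index.php.abc", "welcome.gif.html", "notes.txt"]
    print("missed by last-extension filter:", audit(samples))
```
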

magkes (marcus-krause)
description: updated
Kees Cook (kees)
Changed in apache2:
status: New → Confirmed
Changed in apache2 (Ubuntu):
importance: Undecided → Low
Seth (bugs-sehe) wrote :

Is there a workaround? I'm really stuck with my mirrored website and I don't want to hand-edit all pages to rename the dang file...

Stefan Fritsch (sf-sfritsch) wrote :

Since 2.2.14-2, RemoveType also works for types coming from /etc/mime.types

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Committed
Chuck Short (zulcss)
Changed in apache2 (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
